Three general wireless attacks are to use a fake access point (AP), a fake AP with a static extended service set ID (ESSID), or a fake AP acting as an “evil twin.” All can be set up and executed instantly.
By setting up the fake AP, a hacker obtains complete control over every TCP/IP connection passing through it. At that point, intercepting network traffic and capturing or altering it becomes trivial. With an SSID that is known to the unsuspecting victim, the fake access point cannot be distinguished from the original access point.
A hacker can set up a fake AP with a static ESSID and channel designation. This attack is suited to targeting particular victims whose devices want to connect to a particular ESSID. The attack starts by launching the fake AP together with a DHCP server that hands out IP addresses to the victims. As connections are established, each victim is assigned an IP address, and its traffic is tunneled through the hacker’s system.
Another wireless attack choice is to set up an “evil twin” access point. This differs from the static attack in that it replies to every probe request from potential victims, even while the original AP is replying, telling each victim that it is the AP they are looking to connect with, regardless of ESSID.
Victims who hear from the evil twin first will use its response rather than that of the original AP. The setup and execution are similar to the static attack, except that the ESSID and channel designations are not used: this attack listens and replies to all requests on any channel. It can be performed within an organization, but is most useful when a less targeted approach is required, in locations such as shops, airports, trains, airplanes, hotels, or anywhere a mobile device is looking for a connection to its organization’s network or other networks.
At times, setting up a fake AP is not enough. A potential victim that is already connected to a wireless network is less likely to switch to the attacker’s connection.
To hasten a victim’s connection, a denial-of-service attack can be launched to de-authenticate devices from their original access point. A “last man standing” strategy uses such a DoS attack to deny service to all APs in the environment, leaving the attacker’s fake AP as the only one available to potential victims.
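From the defender’s side, both the evil twin and the de-authentication flood described above leave traces in the 802.11 management frames a wireless IDS sensor can see. The following added example (not from the original text) runs two simple detections over a constructed, hypothetical list of frame observations: a managed SSID beaconed by a BSSID that is not on the organization’s allowlist, and a burst of deauthentication frames far above a legitimate AP’s rate.

```python
from collections import defaultdict

# Constructed sample of 802.11 management-frame observations (not a real capture):
# (timestamp_seconds, frame_type, transmitter_address, ssid_or_destination)
OBSERVATIONS = [
    (0.00, "beacon", "aa:bb:cc:00:00:01", "CorpWiFi"),
    (0.10, "beacon", "aa:bb:cc:00:00:02", "CorpWiFi"),
    (0.20, "beacon", "de:ad:be:ef:00:01", "CorpWiFi"),          # unlisted BSSID, our SSID
    (0.30, "beacon", "de:ad:be:ef:00:02", "Free Airport WiFi"),  # not ours, ignored
    (2.00, "deauth", "aa:bb:cc:00:00:02", "ff:ff:ff:ff:ff:ff"),  # one legitimate deauth
] + [
    # burst of 8 broadcast deauth frames in 0.35 s carrying the legitimate AP's address
    (1.00 + 0.05 * i, "deauth", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff") for i in range(8)
]

# Hypothetical allowlist of BSSIDs the organization actually operates per managed SSID
KNOWN_BSSIDS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

def find_evil_twins(obs, known):
    """Return {ssid: [rogue bssids]} for managed SSIDs beaconed by unlisted BSSIDs."""
    seen = defaultdict(set)
    for _, ftype, bssid, ssid in obs:
        if ftype == "beacon" and ssid in known:
            seen[ssid].add(bssid)
    return {s: sorted(b - known[s]) for s, b in seen.items() if b - known[s]}

def find_deauth_floods(obs, window_s=1.0, threshold=5):
    """Return {address: peak count} where more than `threshold` deauth frames share a
    transmitter address inside any `window_s` window. The address is only a grouping
    key: deauth frames are unauthenticated and easily spoofed, so the rate is the signal."""
    times = defaultdict(list)
    for ts, ftype, addr, _ in obs:
        if ftype == "deauth":
            times[addr].append(ts)
    flagged = {}
    for addr, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, ts in enumerate(ts_list):      # sliding window over sorted timestamps
            while ts - ts_list[start] > window_s:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[addr] = max(flagged.get(addr, 0), count)
    return flagged
```

On the sample data the first function reports the unlisted BSSID beaconing “CorpWiFi”, and the second flags the burst of eight deauth frames while leaving the single legitimate one alone.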